At the mercy of hackers

PUBLISHED : Tuesday, 17 April, 2012, 12:00am
UPDATED : Tuesday, 17 April, 2012, 12:00am



The number of malicious attacks on computers is rising rapidly, according to Hong Kong police. There were 11 hacking cases last year, compared to only one case in 2010. This year there have already been at least 10 reported cases.

Most computer attacks in Hong Kong target financial organisations. Some demanded payment. The nature of hacking has changed. Initially, most of it was done by hackers who wanted to show off their skills. Now much of hacking is fuelled by criminal activity.


A digital lifestyle

Hong Kong has high levels of internet use: 80 per cent of households have a broadband connection. According to the Office of the Telecommunications Authority, Hong Kong also enjoys one of the highest mobile subscriber rates in the world. About 60 per cent of Hong Kong people use smartphones.

Some analysts have predicted that mobile phones will overtake personal computers as the most common Web access device by next year.

Smartphones have revolutionised the way we go about our lives. Gone are the days when we walk into a bank to pay our bills. Many of us now use our computers or mobile phones to pay them.

Online shopping, too, has become more popular. More and more customers flock to websites like Taobao, eBay and Rakuten.

A PayPal-commissioned survey by the City University interviewed more than 1,200 local internet users. Three quarters of them said they made online payments at least once a month.

Complacency makes you a victim

Yet convenience and accessibility brought by the digital world have also created many opportunities for cyber criminals.

The survey also shows that many internet users are unaware of the dangers posed by cyber crime. Nearly 70 per cent of the respondents said they used the same password across multiple accounts. And six out of 10 never update their online passwords for the seven websites, on average, that hold their personal information.

'Despite rising fears of hacking and online attacks, most people do not act to change their risky online habits,' says Dr Daniel Tse Woon-kwan from CityU's Information Systems Department.

'Using our phones poses more of a risk than our computer. When we use our mobile phone to do online trading through a public WiFi, hackers will have more windows to hack into our phone and steal our information.'

Even if you do not engage in online trading, there are other risks. 'A hacker can alter the text you're sending out and manipulate your communication with others, without you knowing it,' Tse says.

In the case of online shopping, Tse suggests people set a cap to purchases. 'Ask yourself this: How much can I afford to lose [if anything happens]?' he says.

Outdated computer crime law

Hong Kong's laws do not help in fighting rising cyber crimes.

Michelle Chan, a partner at international law firm Herbert Smith, says our laws 'addressed the problems that existed in the early 1990s before the internet boom ... and there has been little progress in legislative development since 1993'.

Hong Kong's current Theft Ordinance does not recognise one's identity - much less virtual identity - as someone's personal property, which should be protected, she says.

Both the US and Britain have tougher identity theft laws. Hong Kong law allows criminals who 'impersonate' their victims online to escape prosecution. Adding to the challenge is the city's lack of jurisdiction to chase cyber criminals beyond its own borders. That makes it difficult for police to prosecute overseas offenders.

Ways to protect yourself

Although hackers have become more sophisticated, you can protect yourself using old-school techniques, such as protecting your password, says Nathan Wang, vice-president of Technical Divisions at Kaspersky Lab, Asia-Pacific.

'You should always use different passwords for different sites and adopt a good one with a combination of digits and letters, and change it regularly. Be aware of suspicious websites and trust your instinct. Take extra caution when you're using a public WiFi,' he says.

'Most importantly, you must install security software on your phone from a reliable vendor, just as you'd do on your computer. In the end, it is still your responsibility to protect yourself from these threats.'

To scan or not to scan: the danger of QR codes

You have probably seen it everywhere - from newspapers to posters at MTR stations. You have probably scanned it on your phone.

The QR code (Quick Response Code) is a two-dimensional bar code which can store a huge amount of data. Originally invented in 1994 by Toyota to track vehicles, it has now become a popular marketing tool, especially in advertising.

A QR code can store a huge amount of virtually any kind of data, including a URL.

A user only needs to scan the code with a smartphone equipped with a code reader application to access the information, or to be taken to a website that is preset in the code.

In this digital era where speed and accessibility are the rules of the game, this convenient and fun technology is fast gaining popularity.

But there is potential danger in the little, square-patterned box. Once scanned, a QR code may take you to a malicious website or download an unwanted application (including a virus) onto your phone - and you won't even know it.

'When you scan a code, all you see is an image. You won't be able to see what's inside,' says Devindar Kumar, 21, a third-year student at the National Institute of Technology in Warangal, India.

'You think it's a bargain deal but you can be directed to a hacker's system without you even knowing it. The hacker can then access your phone to steal any information on it. He can also use your phone whenever and for whatever purpose he wants.

'Anyone can generate a QR code on the internet for free. This is also where the danger lies.'

Kumar was one of the students who attended the Kaspersky Lab Asia Pacific & Middle East and Africa CUP 2012 Conference. The conference was co-hosted by Kaspersky Lab and CityU.

He presented his design of a protective system for mobile users against malicious QR codes. His design helps a user detect the actual URL behind the code, including expanding a shortened URL into the full one, which carries more information. It also looks for suspicious or blacklisted keywords common on phishing sites.
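The kind of check described above can be sketched in a few lines of Python. This is an added illustration, not Kumar's code: the shortener list, keyword list, host names and redirect table are all constructed assumptions, and the redirect lookup is passed in as a function so the sketch runs offline.

```python
from urllib.parse import urlsplit

# Assumed sample lists; a real checker would load maintained feeds instead.
# "short.example" is a constructed shortener host used by the sample data.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}
SUSPICIOUS_KEYWORDS = ("login", "verify", "account", "password", "secure", "bank")
MAX_HOPS = 5  # stop following redirect chains that never settle

# Constructed redirect table standing in for real HTTP lookups (runs offline).
SAMPLE_REDIRECTS = {
    "http://short.example/a1": "http://short.example/b2",
    "http://short.example/b2": "http://shop.example/secure-login/verify?acct=1",
    "https://short.example/ok": "https://news.example/story/qr-codes",
}

def inspect_qr_payload(payload, resolve=SAMPLE_REDIRECTS.get):
    """Expand the URL in a decoded QR payload and report what it points to.

    resolve(url) returns the redirect target of a short URL, or None.
    """
    report = {"chain": [], "final_url": None, "keywords": [], "findings": []}
    url = payload.strip()
    if urlsplit(url).scheme not in ("http", "https"):
        report["findings"].append("payload is not a web address")
        return report
    for _ in range(MAX_HOPS):
        report["chain"].append(url)
        if (urlsplit(url).hostname or "").lower() not in SHORTENER_HOSTS:
            break  # reached a non-shortener host: this is the real destination
        target = resolve(url)
        if target is None:
            report["findings"].append("short URL could not be expanded")
            break
        url = target
    else:
        report["findings"].append("redirect chain too long")
    final = urlsplit(url)
    report["final_url"] = url
    if final.scheme != "https":
        report["findings"].append("destination is not served over HTTPS")
    text = f"{final.hostname or ''}{final.path}?{final.query}".lower()
    report["keywords"] = [k for k in SUSPICIOUS_KEYWORDS if k in text]
    if report["keywords"]:
        report["findings"].append("suspicious keywords: " + ", ".join(report["keywords"]))
    return report

if __name__ == "__main__":
    for sample in ("http://short.example/a1", "https://short.example/ok"):
        print(inspect_qr_payload(sample))
```

A scanner app would show the user `final_url` and the findings before opening anything, which is the step a plain code reader skips.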

Kumar thinks while it is not practical for us to abandon technology, we need to remain sceptical. You should install security software, he advises.

'Don't scan every code you see and think it's safe. Nothing is 100 per cent safe,' he adds.


'There's a disconnect between Hong Kong people's high interest in using online and mobile payment methods with their low awareness and readiness to protect themselves against the potential risks'

Charles Mok, chairman of Internet Society Hong Kong

'I hope cyber crime will not get worse but it will. We've observed the trend of targeted attacks by hackers on big companies and industries in the world'

Nathan Wang, vice-president of Technical Divisions, Kaspersky Lab, Asia-Pacific

'There are very few internet security systems available for smartphones compared with tethered systems, but this should not prevent users from taking precautions such as avoiding downloading applications from suspicious websites. Users should treat a smartphone like a PC, which means installing as much security as possible'

Roy Ko, manager of Hong Kong's Computer Emergency Response Team Co-ordination Centre

Timeline: Examples of cybercrimes

April 2011

The Sony PlayStation Network is breached and data from 77 million users are stolen. They include names, addresses and possibly credit card details.

August 18, 2011

A 28-year-old businessman, Tse Man-lai, is arrested for involvement in cyber attacks on the Hong Kong Stock Exchange's website. The attacks forced a halt in the trading of seven listed companies. Investigators find that the attacks had been helped by a network of computers located on the mainland, Russia, Japan and Singapore.

January 2012

Hackers in a group called Private X bring down Philippine Vice-President Jejomar Binay's website and several government sites on New Year's Day.

March 2012

Eight government-run websites on the mainland are hacked and defaced by a notorious international hacker group called Anonymous. The group leaves a message on a site, saying: 'All these years, the Chinese Communist government has subjected its people to unfair laws and unhealthy processes. You are not infallible. Today websites are hacked, tomorrow it will be your vile regime that will fall.'

March 2012

A major cyber-intrusion at Global Payments, an Atlanta-based payment processor, is under investigation. The attack has put millions of MasterCard, Visa, American Express and Discover cardholders at risk.

March 16, 2012

Hong Kong's Chinese Gold & Silver exchange is hacked with posts of false rumours about its members. Clients are blocked from accessing online trading. The hackers also threaten members with more severe attacks unless they pay at least HK$100,000.

March 23, 2012

A University of Hong Kong website, which lets the citizens of Hong Kong cast a vote for their next leader, is hacked by males aged 17 and 28. Both are arrested.

This is an edited collection of stories published in the SCMP on March 2, 28, 29 & 30, 2012, and September 5, 2011. Additional reporting by Mabel Sieh